diff --git a/Dockerfile b/Dockerfile index c2abcf2..1da35ad 100644 --- a/Dockerfile +++ b/Dockerfile @@ -28,7 +28,10 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c chown root:nginx /var/log/nginx && \ chmod 750 /var/log/nginx && \ touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \ - chown nginx:nginx /var/log/nginx/*.log + chown nginx:nginx /var/log/nginx/*.log && \ + mkdir /acme-challenge && \ + chown root:nginx /acme-challenge && \ + chmod 750 /acme-challenge # Fix CVE-2020-28928 RUN apk --no-cache add "musl-utils>1.1.24-r2" diff --git a/Dockerfile-amd64 b/Dockerfile-amd64 index 71ef455..32d88f2 100644 --- a/Dockerfile-amd64 +++ b/Dockerfile-amd64 @@ -28,7 +28,10 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c chown root:nginx /var/log/nginx && \ chmod 750 /var/log/nginx && \ touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \ - chown nginx:nginx /var/log/nginx/*.log + chown nginx:nginx /var/log/nginx/*.log && \ + mkdir /acme-challenge && \ + chown root:nginx /acme-challenge && \ + chmod 750 /acme-challenge # Fix CVE-2020-28928 RUN apk --no-cache add "musl-utils>1.1.24-r2" diff --git a/Dockerfile-arm32v7 b/Dockerfile-arm32v7 index 3535af7..de25a51 100644 --- a/Dockerfile-arm32v7 +++ b/Dockerfile-arm32v7 @@ -35,7 +35,9 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c chown root:nginx /var/log/nginx && \ chmod 750 /var/log/nginx && \ touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \ - chown nginx:nginx /var/log/nginx/*.log + chown nginx:nginx /var/log/nginx/*.log && \ + chown root:nginx /acme-challenge && \ + chmod 750 /acme-challenge # Fix CVE-2020-28928 RUN apk --no-cache add "musl-utils>1.1.24-r2" diff --git a/Dockerfile-arm64v8 b/Dockerfile-arm64v8 index 3a7652e..ccd928d 100644 --- a/Dockerfile-arm64v8 +++ b/Dockerfile-arm64v8 
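Review bot: The Dockerfile-arm32v7 hunk appends `chown root:nginx /acme-challenge` and `chmod 750 /acme-challenge` to the RUN chain without creating the directory, whereas the Dockerfile and Dockerfile-amd64 hunks insert `mkdir /acme-challenge && \` ahead of the chown; unless a layer outside the hunk already creates it, the image build fails at this step. The Dockerfile-arm64v8 and Dockerfile-i386 hunks have the same omission, so all three should gain the `mkdir /acme-challenge && \` line before the chown. The permission choice itself is sound: nginx only has to read the tokens that certbot writes under /acme-challenge, so group read/search via root:nginx 750 is the minimum the `root /acme-challenge;` locations need.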
@@ -35,7 +35,9 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c chown root:nginx /var/log/nginx && \ chmod 750 /var/log/nginx && \ touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \ - chown nginx:nginx /var/log/nginx/*.log + chown nginx:nginx /var/log/nginx/*.log && \ + chown root:nginx /acme-challenge && \ + chmod 750 /acme-challenge # Fix CVE-2020-28928 RUN apk --no-cache add "musl-utils>1.1.24-r2" diff --git a/Dockerfile-i386 b/Dockerfile-i386 index e8a5a43..1ccff06 100644 --- a/Dockerfile-i386 +++ b/Dockerfile-i386 @@ -28,7 +28,9 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c chown root:nginx /var/log/nginx && \ chmod 750 /var/log/nginx && \ touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \ - chown nginx:nginx /var/log/nginx/*.log + chown nginx:nginx /var/log/nginx/*.log && \ + chown root:nginx /acme-challenge && \ + chmod 750 /acme-challenge # Fix CVE-2020-28928 RUN apk --no-cache add "musl-utils>1.1.24-r2" diff --git a/confs/global/multisite-disable-default-server-https.conf b/confs/global/multisite-default-server-https.conf similarity index 93% rename from confs/global/multisite-disable-default-server-https.conf rename to confs/global/multisite-default-server-https.conf index 579d8c2..7f78bb9 100644 --- a/confs/global/multisite-disable-default-server-https.conf +++ b/confs/global/multisite-default-server-https.conf @@ -8,3 +8,4 @@ ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; %SSL_DHPARAM% %SSL_CIPHERS% +%LETS_ENCRYPT_WEBROOT% diff --git a/confs/global/multisite-default-server-lets-encrypt-webroot.conf b/confs/global/multisite-default-server-lets-encrypt-webroot.conf new file mode 100644 index 0000000..5b8e707 --- /dev/null +++ b/confs/global/multisite-default-server-lets-encrypt-webroot.conf @@ -0,0 +1,3 @@ +location ~ ^/.well-known/acme-challenge/ { + root /acme-challenge; +} 
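Review bot: The new `location ~ ^/.well-known/acme-challenge/` is a regex with the dot left unescaped, so it also matches URIs such as `/Xwell-known/acme-challenge/...`; harmless here because /acme-challenge holds nothing but the challenge tree, but the prefix form `location ^~ /.well-known/acme-challenge/ {` is the usual idiom, needs no escaping and is evaluated before any regex locations. The same regex is repeated in the new confs/global/nginx-temp.conf, and the three webroot locations in this commit are written three different ways; settling on the prefix form everywhere makes them consistent and easier to audit.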
diff --git a/confs/global/multisite-default-server.conf b/confs/global/multisite-default-server.conf new file mode 100644 index 0000000..fc48b42 --- /dev/null +++ b/confs/global/multisite-default-server.conf @@ -0,0 +1,6 @@ +server { + %LISTEN_HTTP% + server_name _; + %USE_HTTPS% + %MULTISITE_DISABLE_DEFAULT_SERVER% +} diff --git a/confs/global/multisite-disable-default-server.conf b/confs/global/multisite-disable-default-server.conf index 1cf8c08..9c2ea8a 100644 --- a/confs/global/multisite-disable-default-server.conf +++ b/confs/global/multisite-disable-default-server.conf @@ -1,6 +1,3 @@ -server { - %LISTEN_HTTP% - %USE_HTTPS% - server_name _; +location / { return 444; } diff --git a/confs/global/nginx-temp.conf b/confs/global/nginx-temp.conf new file mode 100644 index 0000000..4e9320b --- /dev/null +++ b/confs/global/nginx-temp.conf @@ -0,0 +1,20 @@ +daemon on; +pid /tmp/nginx.pid; + +events { + worker_connections 1024; + use epoll; +} + +http { + server { + listen 0.0.0.0:%HTTP_PORT% default_server; + server_name _; + location ~ ^/.well-known/acme-challenge/ { + root /acme-challenge; + } + location / { + return 444; + } + } +} diff --git a/confs/global/nginx.conf b/confs/global/nginx.conf index 7137413..ff09a52 100644 --- a/confs/global/nginx.conf +++ b/confs/global/nginx.conf @@ -100,8 +100,8 @@ http { # custom http confs include /http-confs/*.conf; - # disable default server when MULTISITE=yes - %MULTISITE_DISABLE_DEFAULT_SERVER% + # default server when MULTISITE=yes + %MULTISITE_DEFAULT_SERVER% # server config(s) %INCLUDE_SERVER% diff --git a/confs/site/https.conf b/confs/site/https.conf index a960cb8..623d190 100644 --- a/confs/site/https.conf +++ b/confs/site/https.conf @@ -9,3 +9,4 @@ ssl_session_cache shared:MozSSL:10m; %STRICT_TRANSPORT_SECURITY% %SSL_DHPARAM% %SSL_CIPHERS% +%LETS_ENCRYPT_WEBROOT% diff --git a/confs/site/lets-encrypt-webroot.conf b/confs/site/lets-encrypt-webroot.conf new file mode 100644 index 0000000..a5b14a9 --- /dev/null 
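Review bot: The new multisite-default-server.conf can be reduced to `server { server_name _; }` with no listen directive, because global-config.sh replaces both `%LISTEN_HTTP%` and `%USE_HTTPS%` with empty strings when no site enables LISTEN_HTTP or HTTPS; nginx then gives such a server an implicit listen (*:80 as root, *:8000 otherwise), which is an unexpected extra listener given that entrypoint.sh starts nginx as the nginx user. Safer would be for global-config.sh to substitute `%MULTISITE_DEFAULT_SERVER%` with "" when neither listener is configured, or to document that multisite mode requires at least one of them. Separately, when DISABLE_DEFAULT_SERVER is not `yes` the block has a listen but no `location` at all, so unknown-Host requests are answered from nginx's default `root`; if the block's only purpose in that case is to serve the ACME challenge, the `location / { return 444; }` fallback presumably should be unconditional.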
+++ b/confs/site/lets-encrypt-webroot.conf @@ -0,0 +1,3 @@ +location ^~ ^/.well-known/acme-challenge/ { + root /acme-challenge; +} diff --git a/entrypoint/defaults.sh b/entrypoint/defaults.sh index 5995668..9636277 100644 --- a/entrypoint/defaults.sh +++ b/entrypoint/defaults.sh @@ -1,7 +1,7 @@ #!/bin/bash MULTISITE="${MULTISITE-no}" -LOG_FORMAT="${LOG_FORMAT-\$remote_addr - \$remote_user \$host [\$time_local] \"$request\" \$status \$body_bytes_sent \"\$http_referer\" \"\$http_user_agent\"}" +LOG_FORMAT="${LOG_FORMAT-\$remote_addr - \$remote_user \$host [\$time_local] \"\$request\" \$status \$body_bytes_sent \"\$http_referer\" \"\$http_user_agent\"}" HTTP_PORT="${HTTP_PORT-8080}" HTTPS_PORT="${HTTPS_PORT-8443}" MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}" diff --git a/entrypoint/entrypoint.sh b/entrypoint/entrypoint.sh index 7935784..76fdcad 100644 --- a/entrypoint/entrypoint.sh +++ b/entrypoint/entrypoint.sh @@ -64,6 +64,9 @@ rsyslogd crond # start nginx +if [ -f "/tmp/nginx.pid" ] ; then + nginx -s quit +fi echo "[*] Running nginx ..." su -s "/usr/sbin/nginx" nginx @@ -97,6 +100,7 @@ fi # start the autoconf manager if [ -S "/var/run/docker.sock" ] ; then echo "[*] Running autoconf ..." + touch /var/log/autoconf.log /opt/autoconf/autoconf.py > /var/log/autoconf.log 2>&1 & LOGS="$LOGS /var/log/autoconf.log" fi diff --git a/entrypoint/global-config.sh b/entrypoint/global-config.sh index 3696bdb..be1f99c 100644 --- a/entrypoint/global-config.sh +++ b/entrypoint/global-config.sh @@ -20,6 +20,12 @@ if [ "$ADDITIONAL_MODULES" != "" ] ; then apk add $ADDITIONAL_MODULES fi +# start nginx with temp conf for let's encrypt challenges +if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] ; then + replace_in_file "/etc/nginx/nginx-temp.conf" "%HTTP_PORT%" "$HTTP_PORT" + nginx -c /etc/nginx/nginx-temp.conf +fi + # include server block(s) if [ "$MULTISITE" = "yes" ] ; then includes="" 
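Review bot: `location ^~ ^/.well-known/acme-challenge/` never matches a real request: `^~` is a prefix modifier, not a regex one, so the `^` is taken literally and only URIs beginning with the string `^/.well-known/...` would select this block. For a site served from this server block the HTTP-01 token request therefore falls through to the site's other locations and the challenge fails, and the same applies to every later `certbot renew` for that name. The fix is to drop the anchor: `location ^~ /.well-known/acme-challenge/ {`.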
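Review bot: `nginx -s quit` only delivers SIGQUIT to the master recorded in the pid file and returns immediately, so the temporary instance started from nginx-temp.conf may still hold the HTTP port (and /tmp/nginx.pid) when `su -s "/usr/sbin/nginx" nginx` runs two lines later, making the real start-up fail intermittently. Wait for the old master to exit before continuing, e.g. `nginx -s quit ; while [ -f /tmp/nginx.pid ] ; do sleep 1 ; done` (the code removed from certbot-renew.sh used a `sleep 10` after a reload for the same reason), ideally with an upper bound and a message on timeout. This also assumes the main nginx.conf uses the same `pid /tmp/nginx.pid;` as nginx-temp.conf, since `nginx -s quit` without `-c` reads the default configuration; the old renew script tested the same path so that is presumably true, but a comment stating the dependency would help.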
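Review bot: `nginx -c /etc/nginx/nginx-temp.conf` has its exit status ignored, so if the temporary instance fails to start (port already bound, bad substitution in nginx-temp.conf) the script carries on and the failure only surfaces later as an unrelated certbot webroot error. Reporting it at the source keeps the log readable: `nginx -c /etc/nginx/nginx-temp.conf || echo "[!] Temporary nginx for Let's Encrypt challenges failed to start"`. The temporary server is also started whenever AUTO_LETS_ENCRYPT is on, even when every certificate already exists and the later `! -f .../fullchain.pem` checks skip certbot; that is acceptable because its catch-all returns 444, but a comment noting that entrypoint.sh stops it again via `nginx -s quit` would help the next reader.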
@@ -31,6 +37,48 @@ else replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "include /etc/nginx/server.conf;" fi +# setup default server block if multisite +if [ "$MULTISITE" = "yes" ] ; then + replace_in_file "/etc/nginx/nginx.conf" "%MULTISITE_DEFAULT_SERVER%" "include /etc/nginx/multisite-default-server.conf;" + if [ "$(has_value LISTEN_HTTP yes)" != "" ] ; then + replace_in_file "/etc/nginx/multisite-default-server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:${HTTP_PORT} default_server;" + else + replace_in_file "/etc/nginx/multisite-default-server.conf" "%LISTEN_HTTP%" "" + fi + if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$(has_value USE_CUSTOM_HTTPS yes)" != "" ] || [ "$(has_value GENERATE_SELF_SIGNED_SSL yes)" != "" ] ; then + replace_in_file "/etc/nginx/multisite-default-server.conf" "%USE_HTTPS%" "include /etc/nginx/multisite-default-server-https.conf;" + replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%HTTPS_PORT%" "$HTTPS_PORT" + if [ "$(has_value HTTP2 yes)" != "" ] ; then + replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%HTTP2%" "http2" + else + replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%HTTP2%" "" + fi + replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%HTTPS_PROTOCOLS%" "$HTTPS_PROTOCOLS" + if [ "$(echo $HTTPS_PROTOCOLS | grep TLSv1.2)" != "" ] ; then + replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_DHPARAM%" "ssl_dhparam /etc/nginx/dhparam;" + replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_CIPHERS%" "ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;" + else + replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_DHPARAM%" "" + replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_CIPHERS%" "" + 
fi + openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/default-key.pem -out /etc/nginx/default-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN" + if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] ; then + replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%LETS_ENCRYPT_WEBROOT%" "include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;" + else + replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%LETS_ENCRYPT_WEBROOT%" "" + fi + else + replace_in_file "/etc/nginx/multisite-default-server.conf" "%USE_HTTPS%" "" + fi + if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] ; then + replace_in_file "/etc/nginx/multisite-default-server.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" "include /etc/nginx/multisite-disable-default-server.conf;" + else + replace_in_file "/etc/nginx/multisite-default-server.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" "" + fi +else + replace_in_file "/etc/nginx/nginx.conf" "%MULTISITE_DEFAULT_SERVER%" "" +fi + # custom log format replace_in_file "/etc/nginx/nginx.conf" "%LOG_FORMAT%" "$LOG_FORMAT" @@ -49,7 +97,7 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$FIRST_SERVER_NAME}" if [ ! -f /etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem ] ; then echo "[*] Performing Let's Encrypt challenge for $SERVER_NAME ..." - certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos --http-01-port $HTTP_PORT + /opt/scripts/certbot-new.sh "$DOMAINS_LETS_ENCRYPT" "$EMAIL_LETS_ENCRYPT" fi fi echo "0 0 * * * /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/root 
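Review bot: The `DISABLE_DEFAULT_SERVER` test at the end of this hunk replaces `%MULTISITE_DISABLE_DEFAULT_SERVER%` in /etc/nginx/multisite-default-server.conf, and the `# disable default site` hunk at `@@ -208,30 +256,9 @@` performs the identical two replacements again under the same `MULTISITE=yes` condition; the second pass is a silent no-op once the placeholder is gone, so one of the two (the later one is the natural choice) should be dropped before they drift apart. The `openssl req -nodes -x509 -newkey rsa:4096 ...` line is carried over from the old block, but it now runs on every start for every multisite HTTPS deployment instead of only with DISABLE_DEFAULT_SERVER=yes; if regenerating the default certificate on each restart is not intended, a guard such as `if [ ! -f /etc/nginx/default-cert.pem ] ; then ... fi` would skip the 4096-bit keygen. The enclosing `if [ "$MULTISITE" = "yes" ]` block is complete within the hunk.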
@@ -208,30 +256,9 @@ replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list" # disable default site if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] && [ "$MULTISITE" = "yes" ] ; then - replace_in_file "/etc/nginx/nginx.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" "include /etc/nginx/multisite-disable-default-server.conf;" - replace_in_file "/etc/nginx/multisite-disable-default-server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:${HTTP_PORT} default_server;" - if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$(has_value USE_CUSTOM_HTTPS yes)" != "" ] || [ "$(has_value GENERATE_SELF_SIGNED_SSL yes)" != "" ] ; then - replace_in_file "/etc/nginx/multisite-disable-default-server.conf" "%USE_HTTPS%" "include /etc/nginx/multisite-disable-default-server-https.conf;" - replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%HTTPS_PORT%" "$HTTPS_PORT" - if [ "$(has_value HTTP2 yes)" != "" ] ; then - replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%HTTP2%" "http2" - else - replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%HTTP2%" "" - fi - replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%HTTPS_PROTOCOLS%" "$HTTPS_PROTOCOLS" - if [ "$(echo $HTTPS_PROTOCOLS | grep TLSv1.2)" != "" ] ; then - replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%SSL_DHPARAM%" "ssl_dhparam /etc/nginx/dhparam;" - replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%SSL_CIPHERS%" "ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;" - else - replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%SSL_DHPARAM%" "" - replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%SSL_CIPHERS%" "" - fi - openssl req -nodes -x509 -newkey rsa:4096 
-keyout /etc/nginx/default-key.pem -out /etc/nginx/default-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN" - else - replace_in_file "/etc/nginx/multisite-disable-default-server.conf" "%USE_HTTPS%" "" - fi + replace_in_file "/etc/nginx/multisite-default-server.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" "include /etc/nginx/multisite-disable-default-server.conf;" else - replace_in_file "/etc/nginx/nginx.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" "" + replace_in_file "/etc/nginx/multisite-default-server.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" "" fi # fail2ban setup diff --git a/entrypoint/site-config.sh b/entrypoint/site-config.sh index c7947e2..41968a7 100644 --- a/entrypoint/site-config.sh +++ b/entrypoint/site-config.sh @@ -22,6 +22,9 @@ if [ "$MULTISITE" = "yes" ] ; then ROOT_FOLDER="${ROOT_FOLDER}/$1" fi +# generate Let's Encrypt certificate before copying configs +# in case we are in autoconf mode and nginx is already running + # copy stub confs if [ "$MULTISITE" = "yes" ] ; then mkdir "$NGINX_PREFIX" @@ -138,7 +141,7 @@ if [ "$REMOTE_PHP" != "" ] ; then replace_in_file "${NGINX_PREFIX}server.conf" "%FASTCGI_PATH%" "include ${NGINX_PREFIX}fastcgi.conf;" replace_in_file "${NGINX_PREFIX}php.conf" "%REMOTE_PHP%" "$REMOTE_PHP" if [ "$MULTISITE" = "yes" ] ; then - cp /etc/nginx/fastcgi.conf ${NGINX_PREFIX}fastcgi.conf + cp /etc/nginx/fastcgi.conf ${NGINX_PREFIX}fastcgi.conf && chown root:nginx ${NGINX_PREFIX}fastcgi.conf fi replace_in_file "${NGINX_PREFIX}fastcgi.conf" "\$document_root" "${REMOTE_PHP_PATH}/" else 
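Review bot: The added comment `# generate Let's Encrypt certificate before copying configs` / `# in case we are in autoconf mode and nginx is already running` is followed by no code, and the certbot-new.sh call still sits in the HTTPS section of the `@@ -322,20 +325,23 @@` hunk, after the stub confs have been copied. Either move the certificate request up here as the comment promises, or remove the comment; as written it documents a step that does not happen and will mislead whoever next debugs issuance in autoconf mode. If the move is made, the `EMAIL_LETS_ENCRYPT` default and the `! -f /etc/letsencrypt/live/${1}/fullchain.pem` guard need to move with it.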
@@ -322,20 +325,23 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GE FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1) else FIRST_SERVER_NAME="$1" - EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$1}" if [ ! -f /etc/letsencrypt/live/${1}/fullchain.pem ] ; then echo "[*] Performing Let's Encrypt challenge for $1 ..." - certbot certonly --standalone -n --preferred-challenges http -d "$1" --email "$EMAIL_LETS_ENCRYPT" --agree-tos --http-01-port $HTTP_PORT + EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$1}" + /opt/scripts/certbot-new.sh "$1" "$EMAIL_LETS_ENCRYPT" fi fi replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem" replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/privkey.pem" + replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" "include ${NGINX_PREFIX}lets-encrypt-webroot.conf;" elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "$CUSTOM_HTTPS_CERT" replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "$CUSTOM_HTTPS_KEY" + replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" "" elif [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/nginx/self-signed-ssl/cert.pem" replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/nginx/self-signed-ssl/key.pem" + replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" "" fi else replace_in_file "${NGINX_PREFIX}server.conf" "%USE_HTTPS%" "" diff --git a/examples/multisite-basic/server-confs/app3.website.com/reverse-proxy.conf b/examples/multisite-basic/server-confs/app3.website.com/reverse-proxy.conf deleted file mode 100644 index 6f43f7f..0000000 --- a/examples/multisite-basic/server-confs/app3.website.com/reverse-proxy.conf +++ /dev/null 
@@ -1,6 +0,0 @@ -proxy_set_header Host $host; -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - -location / { - proxy_pass http://myapp3:3000; -} diff --git a/examples/tomcat/server-confs/reverse-proxy.conf b/examples/tomcat/server-confs/reverse-proxy.conf deleted file mode 100644 index 564193a..0000000 --- a/examples/tomcat/server-confs/reverse-proxy.conf +++ /dev/null @@ -1,6 +0,0 @@ -proxy_set_header Host $host; -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - -location / { - proxy_pass http://mytomcat:8080/sample; -} diff --git a/scripts/certbot-new.sh b/scripts/certbot-new.sh new file mode 100644 index 0000000..2f8d658 --- /dev/null +++ b/scripts/certbot-new.sh @@ -0,0 +1,9 @@ +#!/bin/sh + +# generate certificate +certbot certonly --webroot -w /acme-challenge -n -d "$1" --email "$2" --agree-tos + +# fix rights +chown -R root:nginx /etc/letsencrypt +chmod -R 740 /etc/letsencrypt +find /etc/letsencrypt -type d -exec chmod 750 {} \; diff --git a/scripts/certbot-renew.sh b/scripts/certbot-renew.sh index e03a3fa..2176d18 100644 --- a/scripts/certbot-renew.sh +++ b/scripts/certbot-renew.sh @@ -1,30 +1,9 @@ #!/bin/sh -function replace_in_file() { - # escape slashes - pattern=$(echo "$2" | sed "s/\//\\\\\//g") - replace=$(echo "$3" | sed "s/\//\\\\\//g") - sed -i "s/$pattern/$replace/g" "$1" -} - -# disable HTTP -servers="$(find /etc/nginx -name server.conf)" -for f in $servers ; do - replace_in_file "$f" "listen" "#listen" -done -if [ -f /tmp/nginx.pid ] ; then - /usr/sbin/nginx -s reload - sleep 10 -fi - -# ask a new certificate if needed +# ask new certificates if needed certbot renew -# enable HTTP again -for f in $servers ; do - replace_in_file "$f" "#listen" "listen" -done - +# fix rights chown -R root:nginx /etc/letsencrypt chmod -R 740 /etc/letsencrypt find /etc/letsencrypt -type d -exec chmod 750 {} \;
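Review bot: The new certbot-new.sh never checks whether `certbot certonly --webroot -w /acme-challenge ...` succeeded; it continues to the chown/chmod lines and exits with the status of `find`, so both callers (global-config.sh and site-config.sh, which then point https.conf at /etc/letsencrypt/live/<name>/fullchain.pem) proceed as if a certificate existed and nginx later refuses the config. Add `set -e` after the shebang, or `certbot certonly ... || exit 1`, so the callers have something to test. The `# fix rights` block, duplicated in certbot-renew.sh, also makes the whole of /etc/letsencrypt group-readable with `chmod -R 740`, which typically includes the ACME account key certbot keeps under accounts/ that nginx has no need to read; restricting the group read to the live/ and archive/ trees keeps the account key away from the nginx user, and `find /etc/letsencrypt -type f -exec chmod 640 {} \;` alongside the existing directory chmod avoids setting the executable bit on every regular file.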
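Review bot: Nothing reloads nginx after `certbot renew`, so a renewed certificate sits in /etc/letsencrypt unused until the container restarts and nginx keeps serving the old one past its expiry; the removed listen-toggling code is gone, but a reload is now the one step the renewal still needs. After the rights fix, add `if [ -f /tmp/nginx.pid ] ; then nginx -s reload ; fi` (or pass `--deploy-hook` to certbot and do the rights fix inside the hook so permissions are correct before the reload). Renewal via webroot also relies on the running nginx serving `/.well-known/acme-challenge/` from /acme-challenge for every certificate name, which the site-level lets-encrypt-webroot.conf as committed does not achieve.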